Security Incidents mailing list archives

RE: Odd scans and stuff bouncing off firewalls

From: "Edwards, David (JTS)" <Edwards.Dave () saugov sa gov au>
Date: Wed, 14 Aug 2002 09:40:18 +0930

Hi,

-----Original Message-----
From: Craig Billado [mailto:billadoc () us ibm com]
Sent: Wednesday, 14 August 2002 3:20 AM
Cc: incidents () securityfocus com
Subject: Re: Odd scans and stuff bouncing off firewalls

Nexus,

I agree that there is a lot of overhead maintaining external 
IDS sensors.
In the event that the "filtering device" fails, however, 
subsequent attacks
into and through the DMZ may be difficult to detect without them.


[snip sweet comment :-]

If you feel that
the border firewall is impervious to attack or compromise -- 
moreover, that 
the internal sensors are equipped to detect the consequences 
thereof --
then I suppose an external sensor can be dismissed. 
Otherwise, I'd keep one
out there on the wild-side.


This has all the hallmarks of a religious debate eh..

I've thought long and hard about this and FWIW, the 
conclusion I came up with was this.

IDS is designed to "detect" intrusions which seems to 
imply that it goes behind the devices designed to "block" them, 
else you are installing "Attempted Intrusion Detection Systems".  
Hmmm, I don't think I want to add that to my CV ;-)

A perimeter normally consists of multiple security devices
including an external filter (router) and internal, much
smarter firewall.  So where would you put the external
sensor if you want to see all attack attempts aimed at
you?  

Between the firewall and the filter?  But then it would 
miss most of the port scans if the filter is doing its job.

Outside the filter?  But then you are basically just gathering
stats and dshield already does a brilliant job here.


Each to their own of course.  I can see a need to install 
an external sensor if your business is network security as 
you need to test the efficiency of the IDS sensor, but you are 
just making a rod for you own back if you install them outside 
an ordinary corporate network.  

In any case, logs from the filter and firewall will normally
give you most of the data you want.

ciao



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

RE: Odd scans and stuff bouncing off firewalls Steve Vawter (Aug 13)
- RE: Odd scans and stuff bouncing off firewalls Greg A. Woods (Aug 13)
- <Possible follow-ups>
- Re: Odd scans and stuff bouncing off firewalls Craig Billado (Aug 13)
- RE: Odd scans and stuff bouncing off firewalls Edwards, David (JTS) (Aug 14)